[37659] in Kerberos
Re: FAST OTP
daemon@ATHENA.MIT.EDU (Dmitri Pal)
Fri Aug 26 21:25:42 2016
To: kerberos@mit.edu
From: Dmitri Pal <dpal@redhat.com>
Message-ID: <57C0BE29.3010807@redhat.com>
Date: Fri, 26 Aug 2016 18:09:45 -0400
In-Reply-To: <B768F928-1868-482E-9EDE-98E2DFD0C758@gmail.com>
Reply-To: dpal@redhat.com
On 08/26/2016 04:38 PM, Diogenes Jesus wrote:
>
>> I was able to configure a krb5-1.14.2 KDC to use FAST OTP with an RSA Authentication Manager Radius server.
>>
>> I have a couple of questions:
>>
>>
>> · FAST requires an existing ticket cache. If you need a TGT to get a FAST OTP TGT how do you do that?
> One way is to enable Anonymous support (http://k5wiki.kerberos.org/wiki/Anonymous_kerberos) - DON'T forget to restrict anonymous to tgt only on your kdcs!
>
> Dio
>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
OK, you can use the host key to armor the FAST tunnel for a client system if
your host is also a part of the Kerberos realm.
You can check the FreeIPA project; there, all these pieces are integrated and
automated.
--
Thank you,
Dmitri Pal
Engineering Director, Identity Management and Platform Security
Red Hat, Inc.
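
The two armoring options mentioned in this thread (host key and anonymous), followed by the OTP request inside the FAST tunnel, as an added example that is not part of the original messages. The realm, host name, user and paths are constructed; kinit's -k, -t, -c, -n and -T options and the kdc.conf setting restrict_anonymous_to_tgt are MIT krb5's own.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed values: EXAMPLE.COM,
# client1.example.com, alice, and the cache/keytab paths.
REALM="${REALM:-EXAMPLE.COM}"
HOST_FQDN="${HOST_FQDN:-client1.example.com}"
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"
ARMOR_CCACHE="${ARMOR_CCACHE:-FILE:/tmp/krb5cc_armor}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands, 0 = execute them

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Armor ticket from the machine's own host key (the reply's suggestion).
armor_with_host_key() {
    run kinit -k -t "$KEYTAB" -c "$ARMOR_CCACHE" "host/$HOST_FQDN@$REALM"
}

# Armor ticket from anonymous PKINIT (the quoted suggestion).
armor_with_anonymous() {
    run kinit -n -c "$ARMOR_CCACHE" "@$REALM"
}

# OTP pre-authentication inside the FAST tunnel; kinit prompts for the token code.
otp_tgt() {
    run kinit -T "$ARMOR_CCACHE" "$1@$REALM"
}

# Succeeds only if the given kdc.conf sets restrict_anonymous_to_tgt to a true value.
# Simple line match: it does not check which [realms] subsection holds the setting.
anon_restricted_to_tgt() {
    grep -Eiq '^[[:space:]]*restrict_anonymous_to_tgt[[:space:]]*=[[:space:]]*(true|yes|on|1)[[:space:]]*$' "$1"
}

# Usage: script.sh host alice   or   script.sh anon alice
case "${1:-}" in
    host) armor_with_host_key && otp_tgt "$2" ;;
    anon) armor_with_anonymous && otp_tgt "$2" ;;
esac
```

With DRY_RUN=1 the script only prints the kinit commands; set DRY_RUN=0 on a realm member to run them.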